User Passwords

List of users that are allowed to log in with a password. If the same username exists in more than one tenant, the tenant name must be supplied when invoking the login RPC.

If no entity-alias entry exists for the user, one is created automatically when the user is added to this list.

Create a new userpass

Security: accessToken
Request
query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <email-address> ^["a-zA-Z0-9.!$'#%&*+-/=?^_`~{}]+@[a-zA-Z0-9....
fullname
string

Full name description of the user. Will be included as metadata in the resulting token.

password-min-length
integer <uint32>

Minimum length of the password. The maximum length is 255.

enforce-password-policy
boolean

If true, the password must meet at least 3 of the following 4 conditions: it contains an uppercase letter, a lowercase letter, a numeric character and a symbolic character.

password
required
string

The password is stored as a bcrypt hash and cannot be retrieved in clear text once stored; reads of this entry return the hash. A password that has already been bcrypt hashed, for example with the bcrypt-pw transit action, can be supplied instead of the clear text and is stored as-is.
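As an added example (not Avassa code and not part of this reference), a client-side pre-check of the password field that applies the two rules above: password-min-length with the 255 maximum, and the 3-of-4 character-class policy. It also recognises a value that is already a bcrypt string, since the server cannot check length or policy for a pre-hashed value and will store it as-is. The bcrypt string layout and the minimum cost threshold used here are this example's own assumptions; the page documents neither.

```python
"""Client-side pre-check of the `password` field of a userpass entry.

Added example, not Avassa's code. Mirrors password-min-length (max 255)
and enforce-password-policy (3 of 4 character classes), and detects an
already bcrypt-hashed value so the caller knows only the cost can be judged.
"""
import re
import string

# Modular-crypt bcrypt layout: $2<variant>$<2-digit cost>$<22-char salt><31-char hash>.
# Assumption (not stated on the page): the 53-character body uses bcrypt's ./A-Za-z0-9 alphabet.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(value):
    """Return the cost factor if `value` is a bcrypt string, otherwise None."""
    m = BCRYPT_RE.match(value)
    return int(m.group(1)) if m else None


def character_classes(password):
    """Count how many of the four classes (upper, lower, digit, symbol) occur."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_password(password, min_length=8, enforce_policy=False, min_bcrypt_cost=10):
    """Return a list of problems; an empty list means the value is acceptable.

    `min_bcrypt_cost` is this example's own threshold for pre-hashed values;
    the page documents no server-side minimum.
    """
    problems = []
    cost = bcrypt_cost(password)
    if cost is not None:
        # Pre-hashed: length and policy can no longer be checked, only the cost.
        if cost < min_bcrypt_cost:
            problems.append(f"bcrypt cost {cost} is below {min_bcrypt_cost}")
        return problems
    if len(password) < min_length:
        problems.append(f"shorter than password-min-length {min_length}")
    if len(password) > 255:
        problems.append("longer than the 255-character maximum")
    if enforce_policy and character_classes(password) < 3:
        problems.append("fewer than 3 of 4 character classes (enforce-password-policy)")
    return problems


if __name__ == "__main__":
    # The hash from the request sample on this page carries cost 05.
    print(check_password("$2y$05$rYE97YZutOhgdDsbpglH6O4BNj6KHcW6IYlqbG8L8F6kjtjNh8HH6"))
    print(check_password("Tr0ub4dor&3", min_length=8, enforce_policy=True))
```

Run against the page's sample hash, the check flags the low cost factor 05 rather than accepting the value blindly; for a clear-text password it reports every rule the server would reject.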

totp
string

An optional TOTP service may be referenced by name. If set, the service must exist and the user must supply a TOTP code that verifies against it when logging in.

metadata
object

Metadata such as email, phone number, office etc can be associated with a user and will be included in tokens resulting from login on this entry.

no-totp-token-policies
Array of strings <name>

If this leaf-list is configured, its policies are used in place of token-policies until the user has authenticated with a valid TOTP code. It can be used to limit the access of a user who has not yet enrolled in TOTP.

passkeys
Array of objects
token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-auto-bound-cidrs
string <enumeration>
  • none: Do not set bound-cidrs automatically. (default)
  • host: Set bound-cidrs to the host address when the token is created.
  • network: Set bound-cidrs to the network from which the token was created. The prefix length defaults to 24, unless a subnet is specified in token-bound-cidrs, in which case the same prefix length as in token-bound-cidrs is used.

Automatically set bound-cidrs of token to the host or network from where the token was created.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: A combination of an IPv4 address and a prefix length. The prefix length is the number following the slash and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: A combination of an IPv6 address and a prefix length. The prefix length is the number following the slash and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.
  The ip-address-and-prefix-length type is the IP-version-neutral union of the two; the textual representation implies the IP version.

Limit the use of the token to specific subnets. The token is rejected if the request's source IP address is not within one of the subnets listed in token-bound-cidrs. All source addresses are accepted if the list is empty.
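The two CIDR fields worked through, as an added example that is not Avassa code: derive_auto_bound_cidr() follows the three token-auto-bound-cidrs modes as described above, and token_usable_from() applies the token-bound-cidrs check to a later request. Two things the page does not state are assumed here: the automatically derived CIDR is added to the configured list rather than replacing it, and an IPv6 source with no configured prefix gets /64 (the page only gives 24, which is an IPv4 length).

```python
"""token-auto-bound-cidrs and token-bound-cidrs worked through with ipaddress.

Added example, not Avassa's code. Assumptions not on the page: the derived
CIDR is appended to the configured list, and IPv6 defaults to /64.
"""
import ipaddress


def derive_auto_bound_cidr(src_ip, auto_mode, configured_cidrs):
    """Return the CIDR string the token is automatically bound to, or None for 'none'."""
    src = ipaddress.ip_address(src_ip)
    if auto_mode == "none":
        return None
    if auto_mode == "host":
        return f"{src}/{src.max_prefixlen}"
    if auto_mode == "network":
        # Reuse the prefix length of a configured subnet of the same address family,
        # otherwise fall back to /24 (page) or /64 (this example's IPv6 assumption).
        same_family = [ipaddress.ip_network(c) for c in configured_cidrs
                       if ipaddress.ip_network(c).version == src.version]
        prefix = same_family[0].prefixlen if same_family else (24 if src.version == 4 else 64)
        return str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))
    raise ValueError(f"unknown token-auto-bound-cidrs value {auto_mode!r}")


def bound_cidrs_at_login(src_ip, auto_mode, configured_cidrs):
    """Configured list plus the derived CIDR (assumed additive)."""
    derived = derive_auto_bound_cidr(src_ip, auto_mode, configured_cidrs)
    return list(configured_cidrs) + ([derived] if derived else [])


def token_usable_from(src_ip, bound_cidrs):
    """An empty list accepts every source; otherwise the source must fall inside one subnet."""
    if not bound_cidrs:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(c) for c in bound_cidrs)


if __name__ == "__main__":
    # Values from the request sample on this page: mode network, 192.168.1.0/24 configured.
    bound = bound_cidrs_at_login("192.168.1.77", "network", ["192.168.1.0/24"])
    print(bound, token_usable_from("192.168.2.1", bound))
```

Note what `host` buys over `network`: a token bound to 192.168.1.77/32 is useless from any other address on the same LAN, which is the stronger setting for an administrative account that always logs in from one workstation.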

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Allows a token to have an unlimited lifetime as long as it is renewed within the period; each renewal sets the TTL to the period. A periodic token can still have a maximum lifetime if token-explicit-max-ttl is set. token-renewable must be true as well.
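The duration format and the token lifetime fields worked through, as an added example that is not Avassa code. parse_duration() implements the y/d/h/m/s format every duration field on this page uses, and Token models how token-ttl, token-max-ttl, token-explicit-max-ttl, token-period and token-renewable combine on renewal as the descriptions above state it. Assumptions of this example, not of the page: a year is 365 days, token-max-ttl is counted from token creation and does not bound a periodic token, and token-explicit-max-ttl is counted from creation and bounds every token.

```python
"""Duration format and token lifetime fields, worked through.

Added example, not Avassa's code. Assumptions: 1y = 365d; max-ttl is a cap
from creation that does not apply to periodic tokens; explicit-max-ttl is a
cap from creation that applies to every token.
"""
import re
from datetime import datetime, timedelta

DURATION_RE = re.compile(r"^(?:(\d+)y)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
ZERO = timedelta(0)


def parse_duration(text):
    """'1y2d5h' -> timedelta; units must appear in y, d, h, m, s order."""
    m = DURATION_RE.match(text)
    if not text or not m:
        raise ValueError(f"bad duration {text!r}")
    y, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=365 * y + d, hours=h, minutes=mi, seconds=s)


def parse_time(text):
    """RFC 3339 'Z' timestamps, as in the state samples on this page."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def format_time(dt):
    return dt.isoformat().replace("+00:00", "Z")


class Token:
    def __init__(self, created, ttl, max_ttl="0s", explicit_max_ttl="0s",
                 period="0s", renewable=True):
        self.created = parse_time(created)
        self.ttl = parse_duration(ttl)
        self.max_ttl = parse_duration(max_ttl)
        self.explicit_max_ttl = parse_duration(explicit_max_ttl)
        self.period = parse_duration(period)
        self.renewable = renewable
        self.expires = self._cap(self.created + (self.period or self.ttl))

    def _cap(self, candidate):
        # explicit-max-ttl overrides everything, periodic tokens included
        if self.explicit_max_ttl > ZERO:
            candidate = min(candidate, self.created + self.explicit_max_ttl)
        # max-ttl bounds a non-periodic token; a periodic token renews indefinitely
        if self.period == ZERO and self.max_ttl > ZERO:
            candidate = min(candidate, self.created + self.max_ttl)
        return candidate

    def expires_at(self):
        return format_time(self.expires)

    def renew(self, now):
        """Extend the token at time `now`; returns the new expiry as a string."""
        if not self.renewable:
            raise PermissionError("token-renewable is false")
        t = parse_time(now)
        if t >= self.expires:
            raise ValueError("token has already expired; renewal is not possible")
        self.expires = self._cap(t + (self.period or self.ttl))
        return self.expires_at()


if __name__ == "__main__":
    # Sample values from this page: token-ttl 14d, token-max-ttl 30d.
    tok = Token("2024-01-01T00:00:00Z", ttl="14d", max_ttl="30d")
    print(tok.expires_at(), tok.renew("2024-01-11T00:00:00Z"), tok.renew("2024-01-21T00:00:00Z"))
```

With the sample's 14d/30d settings a token created on 1 January and renewed on the 11th and 21st expires on 31 January, not 4 February: the second renewal is clipped by token-max-ttl. A periodic token with token-period 10m and token-explicit-max-ttl 1h can be renewed every five minutes but still dies at the one-hour mark.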

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Whether the renew operation is allowed for this token.

distribute
to (object) or sites (object) or deployments (object)
Responses
201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

409

Conflict (instance exists)

503

Service Unavailable (strongbox sealed)

POST /v1/config/strongbox/authentication/userpass
Request samples
name: admin@acme.com
fullname: Administrator
password-min-length: 8
enforce-password-policy: true
password: $2y$05$rYE97YZutOhgdDsbpglH6O4BNj6KHcW6IYlqbG8L8F6kjtjNh8HH6
totp: admin
metadata:
  email: joe@admin.com
no-totp-token-policies:
  - default
passkeys:
  - id: kuitxOmQrrVSpfZe6RARxw==
    aaguid: UxEm1ucXQVyTID2appgSOQ==
    publicKey: |
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEmq7BEEwL6SOm966B6N/tBWDqRvm
      OgCdKwE+gppHHQwX3fseZdeepfW8QjorxbReE5fc1JLc8uBY2bURHA+aIg==
      -----END PUBLIC KEY-----
token-ttl: 14d
token-max-ttl: 30d
token-policies:
  - root
token-auto-bound-cidrs: network
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 0
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all
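The passkeys entry in the sample above is a base64 credential id, a base64 AAGUID and a PEM public key; the page does not say how the server validates them. As an added example that is not Avassa code, an offline sanity check a client can run before submitting the entry: it decodes the AAGUID to UUID form, parses the PEM as a SubjectPublicKeyInfo for a P-256 key (the sample's prefix is the standard ES256 encoding) and tests that the point lies on the curve, which catches a corrupted or truncated key before it is stored. The DER handling is a fixed-prefix check for P-256 only, not a general parser; the curve constants are the published NIST values.

```python
"""Offline sanity checks on a `passkeys` entry before it is submitted.

Added example, not Avassa's code. Validates AAGUID length, SPKI layout and
that the P-256 point actually lies on the curve.
"""
import base64
import uuid

# NIST P-256: y^2 = x^3 - 3x + b over GF(p); G is the standard base point.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
          0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
# DER SubjectPublicKeyInfo header for id-ecPublicKey / prime256v1, up to and including
# the BIT STRING tag, length and unused-bits byte; the 65-byte body 0x04||X||Y follows.
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")

# Passkey entry copied from the request sample on this page.
SAMPLE_PASSKEY = {
    "id": "kuitxOmQrrVSpfZe6RARxw==",
    "aaguid": "UxEm1ucXQVyTID2appgSOQ==",
    "publicKey": """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEmq7BEEwL6SOm966B6N/tBWDqRvm
OgCdKwE+gppHHQwX3fseZdeepfW8QjorxbReE5fc1JLc8uBY2bURHA+aIg==
-----END PUBLIC KEY-----""",
}


def pem_to_der(pem):
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))
    return base64.b64decode(body)


def p256_point_from_spki(der):
    """Return (x, y) from a P-256 SPKI, or raise ValueError."""
    if not der.startswith(P256_SPKI_PREFIX):
        raise ValueError("not an id-ecPublicKey/prime256v1 SubjectPublicKeyInfo")
    body = der[len(P256_SPKI_PREFIX):]
    if len(body) != 65 or body[0] != 0x04:
        raise ValueError("public key is not a 65-byte uncompressed point")
    return int.from_bytes(body[1:33], "big"), int.from_bytes(body[33:], "big")


def on_p256_curve(x, y):
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def point_to_pem(x, y):
    """Inverse of the parser; used to build known-good and tampered test vectors."""
    der = P256_SPKI_PREFIX + b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def check_passkey(entry):
    """Return a report dict; the caller should reject the entry unless on_curve is True."""
    cred_id = base64.b64decode(entry["id"])
    aaguid = uuid.UUID(bytes=base64.b64decode(entry["aaguid"]))  # ValueError unless 16 bytes
    x, y = p256_point_from_spki(pem_to_der(entry["publicKey"]))
    return {"id_bytes": len(cred_id), "aaguid": str(aaguid), "on_curve": on_p256_curve(x, y)}


if __name__ == "__main__":
    print(check_passkey(SAMPLE_PASSKEY))
```

The on-curve test is the one that matters: an SPKI whose point has been corrupted by a single flipped byte still parses cleanly, but it no longer satisfies the curve equation, and a verifier that skipped this check would store a credential that can never validate an assertion.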

Retrieve the configuration of all userpasses

Security: accessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

GET /v1/config/strongbox/authentication/userpass
Response samples
- name: admin@acme.com
  fullname: Administrator
  password-min-length: 8
  enforce-password-policy: true
  password: $2y$05$rYE97YZutOhgdDsbpglH6O4BNj6KHcW6IYlqbG8L8F6kjtjNh8HH6
  totp: admin
  metadata:
    email: joe@admin.com
  no-totp-token-policies:
    - default
  passkeys:
    - id: kuitxOmQrrVSpfZe6RARxw==
      aaguid: UxEm1ucXQVyTID2appgSOQ==
      publicKey: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEmq7BEEwL6SOm966B6N/tBWDqRvm
        OgCdKwE+gppHHQwX3fseZdeepfW8QjorxbReE5fc1JLc8uBY2bURHA+aIg==
        -----END PUBLIC KEY-----
  token-ttl: 14d
  token-max-ttl: 30d
  token-policies:
    - root
  token-auto-bound-cidrs: network
  token-bound-cidrs:
    - 192.168.1.0/24
  token-explicit-max-ttl: 0s
  token-no-default-policy: false
  token-num-uses: 0
  token-period: 0s
  token-type: default
  token-renewable: true
  distribute:
    to: all
  

Update the userpass settings

Security: accessToken
Request
query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
password-min-length
integer <uint32>
Default: 8

Minimum length of the password. The maximum length is 255.

enforce-password-policy
boolean

If true, the password must meet at least 3 of the following 4 conditions: it contains an uppercase letter, a lowercase letter, a numeric character and a symbolic character.

allowed-failed-login-attempts
integer <uint16>
Default: 3

Number of failed login attempts allowed before the user is locked out.

lockout-threshold
string <duration>
Default: "10m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Duration for which a user is locked out after the number of failed login attempts reaches allowed-failed-login-attempts.

lockout-reset-threshold
string <duration>
Default: "30m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Duration after which the failed login attempt counter is reset to zero. It should be set to a value greater than lockout-threshold; otherwise the counter is already cleared when the lockout ends and the next attempts start from a fresh budget.
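The three lockout fields simulated, as an added example that is not Avassa code. It runs a sequence of login attempts through allowed-failed-login-attempts, lockout-threshold (the lockout duration) and lockout-reset-threshold (the quiet time after which the failure counter returns to zero), with the page's sample values, and shows in numbers why the reset threshold should exceed the lockout duration. Times are seconds from an arbitrary origin. Assumptions of this example that the page does not spell out: the lockout starts when the counter reaches the allowed number, a correct password is still refused while locked out, and a successful login clears the counter.

```python
"""Lockout behaviour of userpass-settings, simulated.

Added example, not Avassa's code. failed_count and last_failed_time mirror
the fields of the same name in the userpass state endpoint.
"""


class LockoutState:
    def __init__(self, allowed_attempts=3, lockout_seconds=600, reset_seconds=1800):
        self.allowed = allowed_attempts      # allowed-failed-login-attempts
        self.lockout = lockout_seconds       # lockout-threshold
        self.reset = reset_seconds           # lockout-reset-threshold
        self.failed_count = 0
        self.last_failed_time = None
        self.locked_until = None

    def _expire(self, now):
        if self.last_failed_time is not None and now - self.last_failed_time >= self.reset:
            self.failed_count = 0            # a quiet lockout-reset-threshold clears the counter
        if self.locked_until is not None and now >= self.locked_until:
            self.locked_until = None         # lockout-threshold has elapsed

    def attempt(self, now, password_ok):
        """Return 'locked', 'ok' or 'failed' for a login attempt at time `now`."""
        self._expire(now)
        if self.locked_until is not None:
            return "locked"
        if password_ok:
            self.failed_count = 0
            return "ok"
        self.failed_count += 1
        self.last_failed_time = now
        if self.failed_count >= self.allowed:
            self.locked_until = now + self.lockout
        return "failed"


def attempts_after_lockout(allowed, lockout_seconds, reset_seconds):
    """How many wrong passwords can be tried once the first lockout ends.

    `allowed` wrong guesses ten seconds apart trigger the lockout; the caller then
    returns one second after it expires and keeps guessing until locked out again.
    """
    s = LockoutState(allowed, lockout_seconds, reset_seconds)
    for t in range(0, 10 * allowed, 10):
        s.attempt(t, False)
    t = s.locked_until + 1
    tries = 0
    while s.attempt(t, False) == "failed":
        tries += 1
        t += 1
    return tries


if __name__ == "__main__":
    # Sample settings from this page: 5 attempts, 15m lockout, 45m reset.
    print(attempts_after_lockout(5, 900, 2700))   # reset > lockout
    print(attempts_after_lockout(5, 900, 600))    # reset < lockout (misconfigured)
```

With the sample's 5 attempts, 15m lockout and 45m reset, an attacker who comes back the moment the lockout lifts gets exactly one more guess before being locked out again. Swap the reset down to 10m, below the lockout duration, and the counter has already been cleared by the time the lockout ends, so the same attacker gets a full five fresh guesses per cycle.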

passkey-rpid
string

The WebAuthn relying party ID (RP ID), typically the domain name of the web server that serves the login.

passkey-rpname
string

Name of the relying party as presented to the user.

passkey-login-url
string

Base URL used to log in a user when performing passkey-login from the command line. Username, tenant and terminal-id are appended to it.

passkey-challenge-ttl
string <duration>
Default: "5m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of an outstanding passkey login challenge.

passkey-max-pending
integer <uint32>
Default: 1000

Maximum number of simultaneous passkey login sessions.

distribute
to (object) or sites (object) or deployments (object)
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

PATCH /v1/config/strongbox/authentication/userpass-settings
Request samples
password-min-length: 12
enforce-password-policy: true
allowed-failed-login-attempts: 5
lockout-threshold: 15m
lockout-reset-threshold: 45m
passkey-rpid: example.com
passkey-rpname: Example Corp
passkey-login-url: https://avassa.com
passkey-challenge-ttl: 5m
passkey-max-pending: 1000
distribute:
  to: all

Delete the userpass settings

Security: accessToken
Request
query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

DELETE /v1/config/strongbox/authentication/userpass-settings

Replace or create the userpass settings

Security: accessToken
Request
query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
password-min-length
integer <uint32>
Default: 8

Minimum length of the password. The maximum length is 255.

enforce-password-policy
boolean

If true, the password must meet at least 3 of the following 4 conditions: it contains an uppercase letter, a lowercase letter, a numeric character and a symbolic character.

allowed-failed-login-attempts
integer <uint16>
Default: 3

Number of failed login attempts allowed before the user is locked out.

lockout-threshold
string <duration>
Default: "10m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Duration for which a user is locked out after the number of failed login attempts reaches allowed-failed-login-attempts.

lockout-reset-threshold
string <duration>
Default: "30m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Duration after which the failed login attempt counter is reset to zero. It should be set to a value greater than lockout-threshold; otherwise the counter is already cleared when the lockout ends and the next attempts start from a fresh budget.

passkey-rpid
string

The WebAuthn relying party ID (RP ID), typically the domain name of the web server that serves the login.

passkey-rpname
string

Name of the relying party as presented to the user.

passkey-login-url
string

Base URL used to log in a user when performing passkey-login from the command line. Username, tenant and terminal-id are appended to it.

passkey-challenge-ttl
string <duration>
Default: "5m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of an outstanding passkey login challenge.

passkey-max-pending
integer <uint32>
Default: 1000

Maximum number of simultaneous passkey login sessions.

distribute
to (object) or sites (object) or deployments (object)
Responses
201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

PUT /v1/config/strongbox/authentication/userpass-settings
Request samples
password-min-length: 12
enforce-password-policy: true
allowed-failed-login-attempts: 5
lockout-threshold: 15m
lockout-reset-threshold: 45m
passkey-rpid: example.com
passkey-rpname: Example Corp
passkey-login-url: https://avassa.com
passkey-challenge-ttl: 5m
passkey-max-pending: 1000
distribute:
  to: all

Retrieve the configuration of userpass settings

Security: accessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
200

OK

304

Not Modified

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

GET /v1/config/strongbox/authentication/userpass-settings
Response samples
password-min-length: 12
enforce-password-policy: true
allowed-failed-login-attempts: 5
lockout-threshold: 15m
lockout-reset-threshold: 45m
passkey-rpid: example.com
passkey-rpname: Example Corp
passkey-login-url: https://avassa.com
passkey-challenge-ttl: 5m
passkey-max-pending: 1000
distribute:
  to: all

Update a userpass

Security: accessToken
Request
path Parameters
userpass-name
required
string <email-address> ^["a-zA-Z0-9.!$'#%&*+-/=?^_`~{}]+@[a-zA-Z0-9....

name of userpass

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <email-address> ^["a-zA-Z0-9.!$'#%&*+-/=?^_`~{}]+@[a-zA-Z0-9....
fullname
string

Full name description of the user. Will be included as metadata in the resulting token.

password-min-length
integer <uint32>

Minimum length of the password. The maximum length is 255.

enforce-password-policy
boolean

If true, the password must meet at least 3 of the following 4 conditions: it contains an uppercase letter, a lowercase letter, a numeric character and a symbolic character.

password
required
string

The password is stored as a bcrypt hash and cannot be retrieved in clear text once stored; reads of this entry return the hash. A password that has already been bcrypt hashed, for example with the bcrypt-pw transit action, can be supplied instead of the clear text and is stored as-is.

totp
string

An optional TOTP service may be referenced by name. If set, the service must exist and the user must supply a TOTP code that verifies against it when logging in.

metadata
object

Metadata such as email, phone number, office etc can be associated with a user and will be included in tokens resulting from login on this entry.

no-totp-token-policies
Array of strings <name>

If this leaf-list is configured, its policies are used in place of token-policies until the user has authenticated with a valid TOTP code. It can be used to limit the access of a user who has not yet enrolled in TOTP.

passkeys
Array of objects
token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-auto-bound-cidrs
string <enumeration>
  • none: Do not set bound-cidrs automatically. (default)
  • host: Set bound-cidrs to the host address when the token is created.
  • network: Set bound-cidrs to the network from which the token was created. The prefix length defaults to 24, unless a subnet is specified in token-bound-cidrs, in which case the same prefix length as in token-bound-cidrs is used.

Automatically set bound-cidrs of token to the host or network from where the token was created.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: A combination of an IPv4 address and a prefix length. The prefix length is the number following the slash and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: A combination of an IPv6 address and a prefix length. The prefix length is the number following the slash and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.
  The ip-address-and-prefix-length type is the IP-version-neutral union of the two; the textual representation implies the IP version.

Limit the use of the token to specific subnets. The token is rejected if the request's source IP address is not within one of the subnets listed in token-bound-cidrs. All source addresses are accepted if the list is empty.

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Allows a token to have an unlimited lifetime as long as it is renewed within the period; each renewal sets the TTL to the period. A periodic token can still have a maximum lifetime if token-explicit-max-ttl is set. token-renewable must be true as well.

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Whether the renew operation is allowed for this token.

distribute
to (object) or sites (object) or deployments (object)
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

PATCH /v1/config/strongbox/authentication/userpass/{userpass-name}
Request samples
name: admin@acme.com
fullname: Administrator
password-min-length: 8
enforce-password-policy: true
password: $2y$05$rYE97YZutOhgdDsbpglH6O4BNj6KHcW6IYlqbG8L8F6kjtjNh8HH6
totp: admin
metadata:
  email: joe@admin.com
no-totp-token-policies:
  - default
passkeys:
  - id: kuitxOmQrrVSpfZe6RARxw==
    aaguid: UxEm1ucXQVyTID2appgSOQ==
    publicKey: |
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEmq7BEEwL6SOm966B6N/tBWDqRvm
      OgCdKwE+gppHHQwX3fseZdeepfW8QjorxbReE5fc1JLc8uBY2bURHA+aIg==
      -----END PUBLIC KEY-----
token-ttl: 14d
token-max-ttl: 30d
token-policies:
  - root
token-auto-bound-cidrs: network
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 0
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all

Delete a userpass

Security: accessToken
Request
path Parameters
userpass-name
required
string <email-address> ^["a-zA-Z0-9.!$'#%&*+-/=?^_`~{}]+@[a-zA-Z0-9....

name of userpass

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

DELETE /v1/config/strongbox/authentication/userpass/{userpass-name}

Replace or create a new userpass

Security: accessToken
Request
path Parameters
userpass-name
required
string <email-address> ^["a-zA-Z0-9.!$'#%&*+-/=?^_`~{}]+@[a-zA-Z0-9....

name of userpass

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <email-address> ^["a-zA-Z0-9.!$'#%&*+-/=?^_`~{}]+@[a-zA-Z0-9....
fullname
string

Full name description of the user. Will be included as metadata in the resulting token.

password-min-length
integer <uint32>

Minimum length of the password. The maximum length is 255.

enforce-password-policy
boolean

If true, the password must meet at least 3 of the following 4 conditions: it contains an uppercase letter, a lowercase letter, a numeric character and a symbolic character.

password
required
string

The password is stored as a bcrypt hash and cannot be retrieved in clear text once stored; reads of this entry return the hash. A password that has already been bcrypt hashed, for example with the bcrypt-pw transit action, can be supplied instead of the clear text and is stored as-is.

totp
string

An optional TOTP service may be referenced by name. If set, the service must exist and the user must supply a TOTP code that verifies against it when logging in.

metadata
object

Metadata such as email, phone number, office etc can be associated with a user and will be included in tokens resulting from login on this entry.

no-totp-token-policies
Array of strings <name>

If this leaf-list is configured, its policies are used in place of token-policies until the user has authenticated with a valid TOTP code. It can be used to limit the access of a user who has not yet enrolled in TOTP.

passkeys
Array of objects
token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-auto-bound-cidrs
string <enumeration>
  • none: Do not set bound-cidrs automatically. (default)
  • host: Set bound-cidrs to the host address when the token is created.
  • network: Set bound-cidrs to the network from which the token was created. The prefix length defaults to 24, unless a subnet is specified in token-bound-cidrs, in which case the same prefix length as in token-bound-cidrs is used.

Automatically set bound-cidrs of token to the host or network from where the token was created.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: A combination of an IPv4 address and a prefix length. The prefix length is the number following the slash and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: A combination of an IPv6 address and a prefix length. The prefix length is the number following the slash and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.
  The ip-address-and-prefix-length type is the IP-version-neutral union of the two; the textual representation implies the IP version.

Limit the use of the token to specific subnets. The token is rejected if the request's source IP address is not within one of the subnets listed in token-bound-cidrs. All source addresses are accepted if the list is empty.

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Allows a token to have an unlimited lifetime as long as it is renewed within the period; each renewal sets the TTL to the period. A periodic token can still have a maximum lifetime if token-explicit-max-ttl is set. token-renewable must be true as well.

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Whether the renew operation is allowed for this token.

distribute
to (object) or sites (object) or deployments (object)
Responses
201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

PUT /v1/config/strongbox/authentication/userpass/{userpass-name}
Request samples
name: admin@acme.com
fullname: Administrator
password-min-length: 8
enforce-password-policy: true
password: $2y$05$rYE97YZutOhgdDsbpglH6O4BNj6KHcW6IYlqbG8L8F6kjtjNh8HH6
totp: admin
metadata:
  email: joe@admin.com
no-totp-token-policies:
  - default
passkeys:
  - id: kuitxOmQrrVSpfZe6RARxw==
    aaguid: UxEm1ucXQVyTID2appgSOQ==
    publicKey: |
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEmq7BEEwL6SOm966B6N/tBWDqRvm
      OgCdKwE+gppHHQwX3fseZdeepfW8QjorxbReE5fc1JLc8uBY2bURHA+aIg==
      -----END PUBLIC KEY-----
token-ttl: 14d
token-max-ttl: 30d
token-policies:
  - root
token-auto-bound-cidrs: network
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 0
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all

Retrieve the configuration of a userpass

Security: accessToken
Request
path Parameters
userpass-name
required
string <email-address> ^["a-zA-Z0-9.!$'#%&*+-/=?^_`~{}]+@[a-zA-Z0-9....

name of userpass

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

GET /v1/config/strongbox/authentication/userpass/{userpass-name}
Response samples
name: admin@acme.com
fullname: Administrator
password-min-length: 8
enforce-password-policy: true
password: $2y$05$rYE97YZutOhgdDsbpglH6O4BNj6KHcW6IYlqbG8L8F6kjtjNh8HH6
totp: admin
metadata:
  email: joe@admin.com
no-totp-token-policies:
  - default
passkeys:
  - id: kuitxOmQrrVSpfZe6RARxw==
    aaguid: UxEm1ucXQVyTID2appgSOQ==
    publicKey: |
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEmq7BEEwL6SOm966B6N/tBWDqRvm
      OgCdKwE+gppHHQwX3fseZdeepfW8QjorxbReE5fc1JLc8uBY2bURHA+aIg==
      -----END PUBLIC KEY-----
token-ttl: 14d
token-max-ttl: 30d
token-policies:
  - root
token-auto-bound-cidrs: network
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 0
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all

Retrieve the state of all userpasses

Security: accessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specified site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

GET /v1/state/strongbox/authentication/userpass
Response samples
- name: admin@acme.com
  fullname: Administrator
  password-min-length: 8
  enforce-password-policy: true
  password: $2y$05$rYE97YZutOhgdDsbpglH6O4BNj6KHcW6IYlqbG8L8F6kjtjNh8HH6
  totp: admin
  creation-time: 2022-01-11T15:49:54.078484Z
  metadata:
    email: joe@admin.com
  no-totp-token-policies:
    - default
  passkeys:
    - id: kuitxOmQrrVSpfZe6RARxw==
      aaguid: UxEm1ucXQVyTID2appgSOQ==
      publicKey: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEmq7BEEwL6SOm966B6N/tBWDqRvm
        OgCdKwE+gppHHQwX3fseZdeepfW8QjorxbReE5fc1JLc8uBY2bURHA+aIg==
        -----END PUBLIC KEY-----
  token-ttl: 14d
  token-max-ttl: 30d
  token-policies:
    - root
  token-auto-bound-cidrs: network
  token-bound-cidrs:
    - 192.168.1.0/24
  token-explicit-max-ttl: 0s
  token-no-default-policy: false
  token-num-uses: 0
  token-period: 0s
  token-type: default
  token-renewable: true
  failed-count: 0
  last-failed-time: 2023-10-01T12:00:00Z
  distribute:
    to: all
  distribution-status:
    to: all
  derived-policies:
    - default
    - root
  

Retrieve the state of the userpass settings

Security: accessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specified site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

GET /v1/state/strongbox/authentication/userpass-settings
Response samples
password-min-length: 12
enforce-password-policy: true
allowed-failed-login-attempts: 5
lockout-threshold: 15m
lockout-reset-threshold: 45m
passkey-rpid: example.com
passkey-rpname: Example Corp
passkey-login-url: https://avassa.com
passkey-challenge-ttl: 5m
passkey-max-pending: 1000
distribute:
  to: all
distribution-status:
  to: all

Retrieve the state of a userpass

Security: accessToken
Request
path Parameters
userpass-name
required
string <email-address> ^["a-zA-Z0-9.!$'#%&*+-/=?^_`~{}]+@[a-zA-Z0-9....

name of userpass

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specified site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

GET /v1/state/strongbox/authentication/userpass/{userpass-name}
Response samples
name: admin@acme.com
fullname: Administrator
password-min-length: 8
enforce-password-policy: true
password: $2y$05$rYE97YZutOhgdDsbpglH6O4BNj6KHcW6IYlqbG8L8F6kjtjNh8HH6
totp: admin
creation-time: 2022-01-11T15:49:54.078484Z
metadata:
  email: joe@admin.com
no-totp-token-policies:
  - default
passkeys:
  - id: kuitxOmQrrVSpfZe6RARxw==
    aaguid: UxEm1ucXQVyTID2appgSOQ==
    publicKey: |
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEmq7BEEwL6SOm966B6N/tBWDqRvm
      OgCdKwE+gppHHQwX3fseZdeepfW8QjorxbReE5fc1JLc8uBY2bURHA+aIg==
      -----END PUBLIC KEY-----
token-ttl: 14d
token-max-ttl: 30d
token-policies:
  - root
token-auto-bound-cidrs: network
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 0
token-period: 0s
token-type: default
token-renewable: true
failed-count: 0
last-failed-time: 2023-10-01T12:00:00Z
distribute:
  to: all
distribution-status:
  to: all
derived-policies:
  - default
  - root